Why are cookie names created all in uppercase?

Hi,

I am getting a bit annoyed with ColdFusion right now, especially the case
insensitivity.
I have been doing a lot of isomorphic JS, but with this current project I
am knotting together JS frontend to CFML backend.
Creating a new cookie automatically sets the cookie name in uppercase.
Why would you do that? Why not let the developer decide the case? Now I
have to make changes in my JS because Lucee (and Railo and ACFML) doesn't
allow you to decide the casing.

Another occurrence where casing is an issue is when you create a struct and
add a key with dot notation. The key will then be converted to uppercase
too.
So:
var aStruct = {};
aStruct.someKey=1;

If you dump aStruct it will tell you its key is ASTRUCT=1.
Only when you define it like
aStruct[ 'someKey' ] = 1;

does it stay in the same form.

Is this something that is very hard to change?

Okay, I already found an option in the Lucee Admin about dot notation. That
is great. New feature I didn’t have in Railo at the time.

So do I really need to set a cookie by writing a header instead of using
the convenience function cookie, if I want it in lowercase?

Short answer… yes and no. I tend to use headers anyway for cookies
because I find the syntax more concise, but that’s just a personal
preference. Cookies are, for all intents and purposes, a struct, so the same
rules apply (e.g. cookie['caseSensitive'] would achieve the same thing as
struct['caseSensitive']). I’m not sure about the admin dot notation
affecting the cookie scoped variables… I don’t use that option for case
sensitivity because I want my applications to remain portable across
engines, so I use the struct['caseSensitive'] format when I need it to be
case sensitive, and as I already said I use headers to set cookies, à la:

getPageContext().getResponse().addHeader("Set-Cookie",
"__caseSensitiveName=#myValue#;path=/;domain=.#CGI.HTTP_HOST#;HTTPOnly");

Now on to a more important topic… are you trying to access CFML cookies
from a JavaScript front-end? Are you aware that this provides an excellent
attack surface for hackers to exploit? Cookies should always be httpOnly,
and should prevent JavaScript from accessing them. Depending on what you’re
trying to accomplish there are different ways to maintain state between
front and back-end, but generally speaking you should avoid tightly
coupling your front and back-end code.

– Denny

Could use the header, however I made my JS cookies uppercase.

Also a viable solution :)

So I don’t see any weaknesses right now.

Roger that, figured I’d mention it just in case you were building a state
engine, but sounds like you’ve got a handle on it.

– Denny
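
The header approach and HttpOnly advice in Denny's replies, as an added example that is not part of the original thread: a JavaScript (Node.js) sketch that emits a Set-Cookie value with the name's case preserved, then audits a set of headers for cookies missing HttpOnly and for names that differ only by case. The cookie names and sample headers are constructed, and defaulting to Secure is an assumption of this example.

```javascript
// Added example: names and sample headers below are constructed for illustration.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 6265: cookie-name is a token

// Build a Set-Cookie value; the name is emitted exactly as given (no upper-casing).
function buildSetCookie(name, value, { path = '/', httpOnly = true, secure = true } = {}) {
  if (!TOKEN.test(name)) throw new Error(`invalid cookie name: ${name}`);
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse one Set-Cookie value. Attribute names are case-insensitive, cookie names are not.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error(`malformed Set-Cookie: ${header}`);
  const flags = new Set(attrs.map((a) => a.split('=')[0].trim().toLowerCase()));
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), flags };
}

// Report cookies readable from document.cookie and names that differ only by case.
function auditSetCookie(headers) {
  const findings = [];
  const seen = new Map(); // lower-cased name -> first exact spelling seen
  for (const c of headers.map(parseSetCookie)) {
    if (!c.flags.has('httponly')) findings.push(`${c.name}: missing HttpOnly`);
    const key = c.name.toLowerCase();
    if (seen.has(key) && seen.get(key) !== c.name) {
      findings.push(`${c.name}: differs only by case from ${seen.get(key)}`);
    }
    if (!seen.has(key)) seen.set(key, c.name);
  }
  return findings;
}

// Constructed sample response headers.
const sampleHeaders = [
  buildSetCookie('gameSession', 'abc123'),
  'GAMESESSION=abc123;path=/',
  'uiHint=1; Path=/; HTTPOnly',
];
console.log(auditSetCookie(sampleHeaders));
```

The browser stores `gameSession` and `GAMESESSION` as two separate cookies, which is why a server that upper-cases names breaks a front end looking up the mixed-case name.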

Hi Denny,

When I create a cookie with the Cookie function, it is always uppercase
(says the docs and my personal experience).

I create my cookie like:
cookie name="#Arguments.name#" value="#cookieValue#"
expires="#GetHttpTimeString( expiry )#" path="#Arguments.path#";

Could use the header, however I made my JS cookies uppercase.

Concerning your other remark. Don’t worry, I am working on a project where
users are joining a treasure hunt and their initial cookie is created in JS
with their (game) session information. In ColdFusion I enrich this cookie
with some more info, so for JS to be able to use the enriched cookie the
casing is very important.
I don’t see how a hacker could exploit this by adding extra data in the
cookie which wouldn’t be used by the CFML service anyway. Oh, and after CFML
writes the cookie it is encrypted anyway. JS only needs to know that the
cookie still exists and only uses its expiry date.
So I don’t see any weaknesses right now.

Cheers

Thanks buddy,

always good to get some critical answers on any coding.
I reckon I should have someone audit my code when I am done. Hard to come
up with solutions all by yourself.